[Federal Register Volume 77, Number 62 (Friday, March 30, 2012)]
[Notices]
[Pages 19295-19299]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-7612]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Health Resources and Services Administration


Privacy Act of 1974; Report of an Altered System of Records

AGENCY: Department of Health and Human Services (HHS), Health Resources 
and Services Administration (HRSA).

ACTION: Notice of an Altered System of Records (SOR).

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 1974 
(5 U.S.C. 552a), as amended, the Health Resources and Services 
Administration (HRSA) is publishing a notice to alter the system of 
records for the National Practitioner Data Bank for Adverse Information 
on Physicians and Other Health Care Practitioners, HHS/HRSA/BHPR. The 
System of Records Notice (SORN) 09-15-0054 was last published on 
October 1, 2010 (75 FR 60763). The Health Care Quality Improvement Act 
of 1986, as amended, title IV of Public Law 99-660 (42 U.S.C. 11101 et 
seq.) authorized the Secretary to establish a National Practitioner 
Data Bank (NPDB) to collect and release certain information relating to 
the professional competence and conduct of physicians, dentists, and 
other health care practitioners. By law, the information is releasable 
only to the specific entities described in the SORN. The law requires 
the maintenance of records such as medical malpractice payments, 
adverse licensure and clinical privilege actions, disciplinary actions 
taken by Boards of Medical Examiners, and professional review actions 
taken by entities against physicians, dentists, and other healthcare 
practitioners. Section 1921 of the Social Security Act, as amended, 
expands reporting to the NPDB to authorize maintenance of records of 
adverse licensure actions and negative actions or findings taken by a 
State licensing authority, peer review organization, or private 
accreditation entity against all health care practitioners or 
healthcare entities.
    The primary purpose of this alteration is to publish the Privacy 
Act exemptions that became necessary after implementation of Section 
1921, which entitles law enforcement agencies to access NPDB 
information and which therefore requires a similar exemption from 
certain provisions of the Privacy Act that the Healthcare Integrity and 
Protection Data Bank (HIPDB) has for investigative materials. Because 
some of the records may be queried by law enforcement agencies for 
investigative purposes (i.e., as opposed to employment or other 
purposes), the system will be exempt from certain Privacy Act 
requirements to the extent necessary to avoid revealing law enforcement 
investigative interest and compromising law enforcement investigations. 
Another purpose of this alteration is to add a new routine use 
pertaining to system security, which is being added to other SORNs 
published by HHS.

DATES: As required by the Privacy Act (5 U.S.C. 552a(r)), HRSA filed an 
altered system of records report with the Chair of the House Committee 
on Oversight and Government Reform, the Chair of the Senate Committee 
on Homeland Security and Governmental Affairs, and the Administrator, 
Office of Information and Regulatory Affairs, Office of Management and 
Budget (OMB), on 1/25/12. To ensure all parties have adequate time in 
which to comment, the altered system will become effective 30 days from 
the publication of this notice or 40 days from the date it was 
submitted to OMB and Congress, whichever is later, unless HRSA receives 
comments that require alterations to this notice.

ADDRESSES: Please address comments to Associate Administrator, Bureau 
of Health Professions, Health Resources and Services Administration, 
5600 Fishers Lane, Room 8-103, Rockville, Maryland 20857. Comments 
received will be available for inspection at this same address from 9 
a.m. to 3 p.m. (Eastern Standard Time Zone), Monday through Friday.

FOR FURTHER INFORMATION CONTACT: Director, Division of Practitioner 
Data Banks, Bureau of Health Professions, 5600 Fishers Lane, Room 8-
103, Rockville, Maryland 20857; Telephone: (301) 443-2300. This is not 
a toll-free number.

SUPPLEMENTARY INFORMATION: The National Practitioner Data Bank (NPDB) 
is primarily an alert or flagging system intended to facilitate a 
comprehensive review of health care practitioners' professional 
credentials for the purpose of protecting the public from unfit 
practitioners. On January 28, 2010, the Health Resources and Services 
Administration published a final rule in the Federal Register (75 FR 
4656) designed to implement section 1921 of the Social Security Act 
(herein referred to as section 1921). Section 1921 expands the scope of 
the NPDB. Section 1921 requires each state to adopt a system of 
reporting to the Secretary certain adverse licensure actions taken 
against health care practitioners and health care entities by any 
authority of the state responsible for the licensing of such 
practitioners or entities. It also requires each state to report any 
negative action or finding that a state licensing authority, a peer 
review organization, or a private accreditation entity has finalized 
against a health care practitioner or entity. Practically speaking, 
Section 1921 resulted in, among other consequences, the inclusion of 
the vast majority of information contained in the Healthcare Integrity 
and Protection Data Bank (HIPDB), a companion data bank, in the NPDB.
    The HIPDB was created by the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996, Public Law (Pub. L. 104-191), which 
required the Secretary of HHS, acting through the Office of Inspector 
General (OIG) and the United States Attorney General, to establish a 
new health care fraud and abuse control program to combat health care 
fraud and abuse. Although their purposes are different, together the 
HIPDB and NPDB serve to facilitate review of health care practitioners' 
and entities' backgrounds. The HIPDB is exempt from certain provisions 
of the Privacy Act (see 45 CFR 5b.11(b)(2)(ii)(F)). In order to 
maintain the exemption for the HIPDB investigative materials, which are 
now also available through the NPDB, and other expanded information 
which law enforcement agencies can access, it was necessary to extend 
similar Privacy Act exemptions for the HIPDB to the NPDB. The new 
routine use that is being added for this system pertains to system 
security. It is not specific to the NPDB system; it is being added to 
new, existing, and updated SORNs published by HHS for other systems 
that are affected by the same security requirement.


[[Page 19296]]


    Dated: March 21, 2012.
Mary K. Wakefield,
Administrator.
SYSTEM NUMBER:
    09-15-0054.

SYSTEM NAME:
    National Practitioner Data Bank for Adverse Information on 
Physicians and Other Health Care Practitioners, HHS/HRSA/BHPR.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    A contractor, SRA International, Inc., operates and maintains an 
Internet-based system through a technical service contract for the 
Division of Practitioner Data Banks, Bureau of Health Professions, 
Health Resources and Services Administration. SRA's physical address is 
4350 Fair Lakes Courts, Fairfax, Virginia 22033-4233. This system is 
located at the AT&T Data Center, a secure facility; the street address 
will not be disclosed for security reasons.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system collects and maintains records pertaining to the 
professional competence and conduct of individual health care 
practitioners (doctors, dentists, nurses, allied health care 
professionals, social workers, etc.) and health care entities 
(hospitals, laboratories, pharmacies, etc.).

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system collects and maintains reports and query history 
records. Reports include: (1) Medical malpractice payment reports for 
all health care practitioners, i.e., physicians, dentists, nurses, 
optometrists, pharmacists, and podiatrists, etc.; (2) adverse clinical 
privilege action reports for physicians, dentists, and other healthcare 
practitioners who may have medical staff privileges either restricted 
or surrendered; (3) adverse licensure action reports for physicians, 
dentists and other healthcare practitioners and healthcare entities 
such as a suspension or revocation; (4) adverse professional society 
membership action reports for physicians, dentists, and other health 
care practitioners; (5) reports of the results of formal proceedings by 
a State licensing authority, peer review organization, or private 
accreditation organization concluded against a health care practitioner 
or entity; (6) reports of Medicare/Medicaid exclusions of all 
healthcare practitioners; and (7) reports of adverse actions taken 
against the U.S. Drug Enforcement Administration (DEA) registration of 
all healthcare practitioners.
    Reports may contain the following personally-identifiable data 
elements:
    1. Name;
    2. Work address;
    3. Home address;
    4. Social Security number;
    5. Date of birth;
    6. Name of each professional school attended and year of 
graduation;
    7. Professional license(s) number;
    8. Field of licensure;
    9. Name of the State or Territory in which the license is held;
    10. DEA registration numbers;
    11. CMS unique practitioner identification number (for exclusions 
only);
    12. Names of each hospital with which the practitioner is 
affiliated;
    13. Name and address of the entity making the payment;
    14. Name, title, and telephone number of the official responsible 
for submitting the report on behalf of the entity;
    15. Payment information including the date and amount of payment 
and whether it is for a judgment or settlement;
    16. Date action occurred;
    17. Acts or omissions upon which the action or claim was based;
    18. Description of the action/omissions and injuries or illnesses 
upon which the action or claim was based;
    19. Description of the Board action, the date of action and its 
effective date; and
    20. Classification of the action/omission per reporting code.
    Query histories indicate the dates that an individual health care 
practitioner's report(s) were accessed/queried in the system and by 
whom. Each practitioner's report(s) and query history are available to 
him or her, if the practitioner elects to submit a self-query. However, 
the query history will not include query activity by law enforcement 
agencies, if any, due to the system's exemption.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Health Care Quality Improvement Act of 1986, as amended, title 
IV of Public Law 99-660 [42 U.S.C. 11101 et seq.], and Section 1921 of 
the Social Security Act, as amended.

PURPOSE(S):
    The purpose of the system is to: (1) Receive information such as 
adverse licensure actions on all healthcare practitioners or entities, 
clinical privileges and professional society membership actions on 
physicians and dentists based on professional competence and conduct, 
medical malpractice payment history on all health care practitioners, 
as well as the results of formal proceedings by a State authority, peer 
review organization or private accreditation organization concluded 
against any health care practitioner or entity; (2) store such reports 
so that future queriers may have access to pertinent information 
regarding the review of a health care practitioner and/or a healthcare 
entity in their process of making important decisions related to the 
delivery of health care services; and (3) disseminate such data to 
entities that qualify to receive the reports under the governing 
statutes as authorized by the Health Care Quality Improvement Act of 
1986 and Section 1921 of the Social Security Act to protect the public 
from unfit practitioners and prevent unfit practitioners from providing 
patient care.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Information from this system shall be disclosed to:
    1. Hospitals requesting information, such as, adverse licensure 
actions, medical malpractice payments or exclusions from Medicare and 
Medicaid programs taken against all licensed healthcare practitioners 
such as physicians, dentists, nurses, podiatrists, chiropractors, and 
psychologists. The information is accessible to both public and private 
sector hospitals who can request information concerning a physician, 
dentist or other health care practitioner who is on its medical staff 
(courtesy or otherwise) or who has clinical privileges at the hospital, 
for the purpose of: (a) Screening the professional qualifications of 
individuals who apply for staff positions or clinical privileges at the 
hospital; and (b) meeting the requirements of the Health Care Quality 
Improvement Act of 1986, which prescribes that a hospital must query 
the NPDB once every 2 years regarding all individuals on its medical 
staff or who hold clinical privileges.
    2. Other health care entities, as defined in 45 CFR 60.3, to which 
a physician, dentist or other health care practitioner has applied for 
clinical privileges or appointment to the medical staff or who has 
entered or may be entering an employment or affiliation relationship. 
The purpose of these disclosures is to identify individuals whose 
professional conduct may be unsatisfactory.

[[Page 19297]]

    3. A health care entity with respect to professional review 
activity. The purpose of these disclosures is to aid health care 
entities in the conduct of professional review activities, such as 
those involving determinations of whether a physician, dentist, or 
other health care practitioner may be granted membership in a 
professional society; the conditions of such membership, or of changes 
to such membership; and ongoing professional review activities 
conducted by a health care entity which provides health care services, 
of the professional performance or conduct of a physician, dentist, or 
other health care practitioner.
    4. A State healthcare practitioner and/or entity licensing or 
certification authority can request information expanded by Section 
1921 of the Social Security Act in conducting a review of all 
healthcare practitioners or health entities. A State healthcare 
practitioner and entity licensing or certification authority may also 
request information when making licensure determinations about 
healthcare practitioners and entities. The purpose of these disclosures 
is to aid the board or certification authority in meeting its 
responsibility to protect the health of the population in its 
jurisdiction, by identifying individuals whose professional performance 
or conduct may be unsatisfactory.
    5. Federal and State health care programs (and their contractors) 
can request information reported under Section 1921 of the Social 
Security Act. The purpose of these disclosures is to aid Federal and 
State health programs to ensure the integrity and professional 
competence of affiliated health care practitioners and uncovering 
information needed to make appropriate decisions in the delivery of 
healthcare.
    6. State Medicaid Fraud Control Units (MFCUs) can request 
information reported under Section 1921 of the Social Security Act to 
assist with investigating fraud and prosecution of healthcare 
practitioners and providers in the administration of the Medicaid 
programs.
    7. U.S. Comptroller General can request information reported under 
Section 1921 of the Social Security Act to assist in determining the 
fitness of individuals to provide healthcare services, and protect the 
health and safety of individuals receiving health care through programs 
who employ these individuals.
    8. U.S. Attorney General and other law enforcement agencies can 
request information reported under Section 1921 of the Social Security 
Act to assist with healthcare investigations involving healthcare 
practitioners and healthcare entities. The purpose of the disclosure 
would assist in determining the fitness of individuals to provide 
healthcare services, and protect the health and safety of individuals 
receiving health care through programs who employ these individuals.
    9. Utilization and quality control Peer Review Organizations and 
those entities which are under contract with the CMS can request 
information reported under Section 1921 of the Social Security Act to 
protect and improve the quality of care for Medicare beneficiaries when 
performing quality of care reviews and other related activities.
    10. A physician, dentist, or other health care practitioner can 
request information concerning himself or herself.
    11. An entity that has been reported on may query the system to 
receive information concerning itself.
    12. A person or entity can request statistical information, in a 
form which does not permit the identification of any individual or 
entity pursuant to the procedures established by the Department. An 
example of this disclosure involves researchers who may use statistical 
information to identify the total number of nurses with adverse 
licensure actions in a specific State.
    13. An attorney, or individual representing himself or herself, who 
has filed a medical malpractice action or claim in a State or Federal 
court or other adjudicative body against a hospital, and who requests 
information regarding a specific physician, dentist, or other health 
care practitioner who is also named in the action or claim provided 
that: (a) This information will be disclosed only upon the submission 
of evidence that the hospital failed to request information from the 
NPDB as required by law; and (b) the information will be used solely 
with respect to litigation resulting from the action or claim against 
the hospital. The purpose of these disclosures is to permit an attorney 
(or a person representing himself or herself in a medical malpractice 
action) to have information from the NPDB on a health care 
practitioner, under the conditions set out in this routine use.
    14. Any Federal entity, employing or otherwise engaging under 
arrangement (e.g., such as a contract) the services of a physician, 
dentist, or other health care practitioner, or having the authority to 
sanction such practitioners covered by a Federal program, which: (a) 
Enters into a memorandum of understanding with HHS regarding its 
participation in the NPDB; (b) engages in a professional review 
activity in determining an adverse action against a practitioner; and 
(c) maintains a Privacy Act system of records regarding the health care 
practitioners it employs, or whose services it engages under 
arrangement. The purpose of such disclosures is to enable hospitals and 
other facilities and health care providers under the jurisdiction of 
Federal agencies such as the Public Health Service, HHS; the Department 
of Defense; the Department of Veterans' Affairs; the U.S. Coast Guard; 
and the Bureau of Prisons, Department of Justice, to participate in the 
NPDB. The Health Care Quality Improvement Act of 1986 includes 
provisions regarding the participation of such agencies and of the DEA.
    15. In the event of litigation where the defendant is: (a) The 
Department, any component of the Department, or any employee of the 
Department in his or her official capacity; (b) the United States where 
the Department determines that the claim, if successful, is likely to 
affect directly the operation of the Department or any of its 
components; or (c) any Department employee in his or her individual 
capacity where the Department of Justice has agreed to represent such 
employee, for example in defending a claim against the Public Health 
Service based upon an individual's mental or physical condition and 
alleged to have arisen because of activities of the Public Health 
Service in connection with such individual, disclosures may be made to 
the Department of Justice to enable the Department to present an 
effective defense, provided that such disclosure is compatible with the 
purpose for which the records were collected.
    16. The contractor, SRA International Inc., accesses the system to 
operate and maintain it. These functions include but are not limited to 
providing continuous user availability, develop system enhancements, 
upgrade of hardware and software, security information assurance, and 
system backups.
    17. To appropriate federal agencies and Department contractors that 
have a need to know the information for the purpose of assisting the 
Department's efforts to respond to a suspected or confirmed breach of 
the security or confidentiality of information maintained in this 
system of records, and the information disclosed is relevant and 
necessary for that assistance.

[[Page 19298]]

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are maintained on database servers with disk storage, 
optical jukebox storage, backup tapes and printed reports.

RETRIEVABILITY:
    Records are retrieved by name, date of birth, social security 
number, educational information, and license number. The matching 
algorithm uses these data elements to match reports to the subject.

SAFEGUARDS FOR ACCESSING RECORDS:
    1. Authorized Users include internal users such as the government 
and contractor personnel staff who support the NPDB and are required to 
obtain favorable adjudication for a Level 5 Position of Public Trust. 
New employees of the NPDB and the contractor must attend security 
training, sign a Non-Disclosure Agreement, and sign the Rules of 
Behavior which is renewed annually. Authorized users are given role-
based access to the system on a limited need-to-know basis. All 
physical and logical access to the system is removed upon termination 
of employment. External users, who are responsible for meeting Title IV 
reporting and/or querying requirements to the NPDB, are responsible for 
determining their eligibility to access the NPDB through a self-
certification process which requires completing an Entity Registration 
form. All external users must acknowledge the Rules of Behavior. All 
external users must re-register every two years to access the NPDB. 
Both HRSA and the contractor maintain lists of authorized users.
    2. Physical Safeguards involve physical controls that are in place 
24 hours a day/7 days a week such as identification badge access, 
cipher locks, locked hardware cages, man trap with biometric hand 
scanner, security guard monitoring, and closed circuit TV. All sites 
are protected with fire and environmental safety controls.
    3. Technical Safeguards include firewalls, network intrusion 
detection, host-based intrusion detection and file integrity 
monitoring, user identification, and passwords restrictions. All Web-
based traffic is encrypted using 128 bit SSL and all network traffic is 
encrypted internally.
    4. Administrative Safeguards involve certification and 
accreditation that is required every three years, which authorizes 
operation of the system based on acceptable risk. Security assessments 
are conducted continuously throughout the year to verify compliance 
with all required controls.

RETENTION AND DISPOSAL OF RECORDS:
    HRSA is working with NARA to obtain the appropriate retention 
value.

SYSTEM MANAGER(S) AND ADDRESS:
    Director, Division of Practitioner Data Banks, Bureau of Health 
Professions, Health Resources and Services Administration, Room 8-103, 
Parklawn Building, 5600 Fishers Lane, Rockville, Maryland 20857.

NOTIFICATION PROCEDURE:
    Subject to the exemption from the Privacy Act notification 
procedure requirement, information is available upon request, to the 
persons or entities, or to the authorized agents in such form or manner 
as the Secretary prescribes. Currently, the subject of a report is 
notified via U.S. mail when a report concerning the individual is 
submitted to the NPDB via Subject Notification Document (SND). This 
procedure is unchanged by the exemption.

REQUESTS BY MAIL:
    Practitioners may submit a ``Request for Information Disclosure'' 
to the address under system location for any report on themselves. The 
request must contain the following: Name, address, date of birth, 
gender, Social Security Number (optional), professional schools and 
years of graduation, and the professional license(s). For license, 
include: The license number, the field of licensure, the name of the 
State or Territory in which the license is held, and DEA registration 
number(s). The practitioner must submit a signed and notarized self-
query request.

PENALTIES FOR VIOLATION:
    Submitting a request under false pretenses is a criminal offense 
and subject to a civil monetary penalty of up to $11,000 for each 
violation.

REQUESTS IN PERSON:
    Due to security considerations, the NPDB cannot accept requests in 
person.

REQUESTS BY TELEPHONE:
    Practitioners may provide all of the identifying information stated 
above to the NPDB Customer Service Center operator. Before the data 
request is fulfilled, the operator will return a paper copy of this 
information for verification, signature and notarization.

RECORD ACCESS PROCEDURES:
    Although this system will be exempt from the Privacy Act access 
requirement, the exemption will be limited and discretionary. An 
individual health care practitioner may continue to seek access to his 
or her records in the NPDB by submitting a self-query request form on-
line at: www.npdb-hipdb.hrsa.gov. The requests are submitted over the 
web using the Integrated Query and Reporting Service (IQRS), Query and 
Reporting Extensible Markup Language Service (QRXS), Interface Control 
Document (ICD) Transfer Program (ITP) or the Proactive Disclosure 
Service (PDS). Self-query, as described previously, may be initiated 
via the electronic system and is completed using the conventional mail 
system. Requesters, including self-queries, will receive an accounting 
of disclosure that has been made of their records, if any. The 
exemption will prevent law enforcement query activity from being 
disclosed to the health care practitioner in response to a self-query.
    Notwithstanding the access exemption, a practitioner may request 
access to his or her full query history (i.e., including law 
enforcement query activity, if any), by submitting a written request to 
the System Manager identified above and following the same procedures 
indicated under ``Notification Procedure.'' The request will be 
processed pursuant to the agency's discretionary access authority under 
45 CFR 5b.11(d).

CONTESTING RECORD PROCEDURES:
    Because of the system's exemption, the procedures for disputing a 
NPDB report will not apply to any query history information that is 
exempt from access. The NPDB routinely mails a copy of any report filed 
in it to the subject individual. A subject individual may contest the 
accuracy of information in the NPDB concerning himself or herself and 
file a dispute. To dispute the accuracy of the information, the 
individual must contact the NPDB and the reporting entity to: (1) 
Request for the reporting entity to file correction to the report; and 
(2) request the information be entered into a ``disputed'' status and 
submit a statement regarding the basis for the inaccuracy of the 
information in the report. If the reporting entity declines to change 
the disputed report or takes no actions, the subject may request that 
the Secretary of HHS review the disputed report. In order to seek a 
Secretarial Review, the subject must: (1) Provide written documentation 
containing clear and brief factual information regarding the 
information of the report; (2) submit supporting documentation or 
justification substantiating that the reporting entity's information is 
inaccurate; and (3) submit proof that the subject individual has 
attempted to

[[Page 19299]]

resolve the disagreement with reporting entity but was unsuccessful. 
The Department can only determine whether the report was legally 
required to be filed and whether the report accurately depicts the 
action taken and the reporter's basis for action. Additional detail on 
the process of dispute resolution and Secretarial Review process can be 
found at 45 CFR 60.14 of the NPDB regulations.

RECORD SOURCE CATEGORIES:
    The records contained in the system are submitted by the following 
entities: (1) Insurance companies and others who have made payment as a 
result of a malpractice action or claim, (2) State Boards of Medical 
and Dental Examiners; (3) State Licensing Boards; (4) hospitals and 
other health care entities; (5) DEA; and (6) Federal entities which 
employ health practitioners or who have authority to sanction such 
practitioners covered by a Federal program. Section 1921 of the Social 
Security Act expands reporting of actions submitted by State health 
care practitioner licensing and certification authorities (including 
medical and dental boards), State entity licensing and certification 
authorities, peer review organizations and private accreditation 
organizations.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    The Secretary has exempted this system from certain provisions of 
the Act. In accordance with 5 U.S.C. 552(k)(2) and 45 CFR 
5b.11(b)(ii)(L), this system is exempt from subsections 5 U.S.C. 
552a(c)(3), (d)(1)-(4), (e)(4)(G) and (H), and (f).

[FR Doc. 2012-7612 Filed 3-29-12; 8:45 am]
BILLING CODE 4165-15-P